Access Security Guide K/KA/KB.15.15

Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter
either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as
AppleTalk and IPX.
Contrasting RADIUS-assigned and static ACLs
Table 21 (page 216) highlights several key differences between the static ACLs configurable on
switch VLANs and ports, and the dynamic ACLs that can be assigned by a RADIUS server to filter
IP traffic from individual clients.
Table 21 Contrasting dynamic (RADIUS-assigned) and static ACLs

Static port and VLAN ACLs:
    Configured on switch ports and VLANs.
RADIUS-assigned ACLs:
    Configured in client accounts on a RADIUS server.

Static port and VLAN ACLs:
    Designed for use where the filtering needs focus on static configurations covering:
    - switched IP traffic entering from multiple authenticated or unauthenticated sources (VACLs or static port ACLs)
    - routed IPv4 traffic (RACLs)
    - IP traffic from multiple sources and having a destination on the switch itself
RADIUS-assigned ACLs:
    Designed for use on the edge of the network where filtering of IP traffic entering the switch from individual, authenticated clients is most important and where clients with differing access requirements are likely to use the same port.

Static port and VLAN ACLs:
    Client authentication not a factor.
RADIUS-assigned ACLs:
    Implementation requires client authentication.

Static port and VLAN ACLs:
    Identified by a number in the range of 1-199 or an alphanumeric name.
RADIUS-assigned ACLs:
    Identified by the credentials (username/password pair or the MAC address) of the specific client the ACL is intended to service.

Static port and VLAN ACLs:
    Supports static assignments to filter:
    - switched IPv6 traffic entering the switch
    - switched or routed IPv4 traffic entering the switch, or routed IPv4 traffic leaving the switch
RADIUS-assigned ACLs:
    Supports dynamic assignment to filter only the IP traffic entering the switch from an authenticated client on the port to which the client is connected. (IPv6 traffic can be switched; IPv4 traffic can be routed or switched. For either IP traffic family, this includes traffic having a DA on the switch itself.)

Static port and VLAN ACLs:
    Remains statically assigned to the port or VLAN.
RADIUS-assigned ACLs:
    When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port.

Static port and VLAN ACLs:
    Simultaneously supports all of the following static assignments affecting a given port:
    IPv4 traffic:
    - inbound RACL
    - outbound RACL
    - VACL
    - static port ACL
    IPv6 traffic:
    - VACL
    - static port ACL
RADIUS-assigned ACLs:
    Allows one RADIUS-assigned ACL per authenticated client on a port. (Each such ACL filters traffic from a different, authenticated client.)
    Note: The switch provides ample resources for supporting RADIUS-assigned ACLs and other features. However, the actual number of ACLs supported depends on the switch's current feature configuration and the related resource requirements. For more information, see the appendix titled "Monitoring Resources" in the Management and Configuration Guide for your switch.

Static port and VLAN ACLs:
    Supports IPv6 ACLs and standard, extended, and connection-rate IPv4 ACLs; see "Applying connection-rate ACLs" (page 62).
RADIUS-assigned ACLs:
    Supports IPv6 ACLs and IPv4 extended ACLs. See "IPv6 Access Control Lists (ACLs)" in the IPv6 Configuration Guide for your switch.

Static port and VLAN ACLs:
    An RACL applied to inbound traffic on a VLAN filters routed IPv4 traffic entering the switch through a port on that VLAN, as well as any inbound traffic having a DA on the switch itself. An RACL can be applied to outbound IPv4 traffic on a VLAN to filter routed IPv4 traffic leaving the switch through a port on that VLAN (and includes routed IPv4 traffic generated by the switch itself).
RADIUS-assigned ACLs:
    A given RADIUS-assigned ACL operates on a port to filter only the IP traffic entering the switch from the authenticated client corresponding to that ACL, and does not filter IP traffic inbound from other authenticated clients. (The traffic source is not a configurable setting.)
216 RADIUS server support for switch services